Skip to content
This repository

Easy linux system management for schools

Octocat-spinner-32 acl web: Remove ActiveRecord January 24, 2014
Octocat-spinner-32 app Merge jokor-mountpoint branch to the master April 14, 2014
Octocat-spinner-32 config Merge jokor-mountpoint branch to the master April 14, 2014
Octocat-spinner-32 db The seed data is always for hogwarts February 18, 2014
Octocat-spinner-32 debian.default Web: extract puavo-web-core deb package January 22, 2014
Octocat-spinner-32 doc Update February 18, 2014
Octocat-spinner-32 features Merge jokor-mountpoint branch to the master April 14, 2014
Octocat-spinner-32 lib Merge branch 'no-oauth' January 23, 2014
Octocat-spinner-32 public Remove OAuth code January 10, 2014
Octocat-spinner-32 rest rest: Add test for GET /v3/users April 23, 2014
Octocat-spinner-32 script web: Remove ActiveRecord January 24, 2014
Octocat-spinner-32 spec Merge jokor-mountpoint branch to the master April 14, 2014
Octocat-spinner-32 test rest: use yajl to parse json from fluent December 18, 2013
Octocat-spinner-32 vendor remove unused javascript files May 28, 2013
Octocat-spinner-32 .gitignore web: manually create worker keys January 21, 2014
Octocat-spinner-32 .gitmodules Drop submodules March 21, 2013
Octocat-spinner-32 COPYING Added licence November 12, 2010
Octocat-spinner-32 Gemfile web: Use Gibberish to encrypt data during import January 22, 2014
Octocat-spinner-32 Gemfile.lock Merge branch 'no-oauth' January 23, 2014
Octocat-spinner-32 Gemfile.shared Merge branch 'no-oauth' January 23, 2014
Octocat-spinner-32 Makefile web: add Makefile task for db seeds April 23, 2014
Octocat-spinner-32 README.rdoc lol, it's not easy April 29, 2013
Octocat-spinner-32 Rakefile Make Rails 3 to boot March 19, 2013
Octocat-spinner-32 VERSION version 0.8.0 February 19, 2014
Octocat-spinner-32 remove old debbox var November 27, 2013
Octocat-spinner-32 Add rails 3 files March 19, 2013
Octocat-spinner-32 cucumber.yml First commit May 12, 2010
Octocat-spinner-32 generic_test_helpers.rb Remove OAuth code January 10, 2014
Octocat-spinner-32 monkeypatches.rb web: better monkeypatch for schema cache January 24, 2014
Octocat-spinner-32 package.json Use Stylus instead of SASS May 08, 2013


Puavo-users is a user management tool for schools using linux based computer systems. The goals are ease of use, integration with existing applications used in schools and security.


The main features of Puavo user management tool are:

  • Easy to use - users need no knowledge of LDAP

  • LDAP, samba and kerberos password syncing with smbkrb5pwd - passwords can be changed from any application

  • Support for multiple organisations and ldap databases using single installation

  • LDAP connections using user accounts - no root password in web server configuration

  • Covered by tests - making sure that nothing breaks when doing changes

Data model

Puavo's group model is non-traditional as one cannot add users directly in system groups, but in roles instead. Roles act as a layer between system groups and users. Roles can have multiple groups and when roles are added to user, user becomes a member of all the groups that belong to the added roles. When user roles are set correctly, one can add easily new system groups in roles making system administrators life a breeze. Admins in schools need no knowledge of system groups needed e.g. for file system or printing.

The data model in Puavo is structured like this:

  • Organisations

  • Schools

  • Roles

  • Groups

  • Users

Organisations have owners that have rights to add and modify all schools. Every school has administrator users who have rights to modify users within the school.

Puavo-users supports multiple organisations in multiple ldap databases. The correct domain is determined from the domain name of the http request. Also multiple https domains are supported.


Puavo-users is built using Ruby on Rails and is designed to be used with OpenLDAP and MIT kerberos. Using Heimdal kerberos implementation should also be possible with little work. Development has been done on Ubuntu 10.04 and installation instructions are written for it. There should be no reason why it wouldn't work in other environments, though.

MIT kerberos support is provided by smbkrb5pwd overlay that is not part OpenLDAP package, but is available from this repository. smbkrb5pwd intercepts LDAP password change requests and changes ldap, samba and kerberos passwords with a single request. Working MIT kerberos setup with kadmind is required for this to work as the password is changed by contacting kadmind. There are pre-compiled binaries available for Ubuntu 10.04 in Opinsys’s PPA in Launchpad. See installation instructions for smbkrb5pwd for more information.

Get started

To get started, these steps are needed:

  1. Install Ubuntu 12.04 server (preferably 64-bit version)

  2. Get the sources for puavo-users using git

  3. Setup the database

  4. Configure Puavo server

  5. Run the server


What needs to be done:

  • authentication support for web applications (Moodle, Mediawiki, Wordpress, Google Apps, etc..)

  • finish samba support

  • command line tools

  • device support

  • password quality checks

  • fix error messages and improve user interface

  • tools to move users between schools


Copyright © 2010 Opinsys Oy

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.

Something went wrong with that request. Please try again.